CONFESSIONS OF A CHINESE HACKER, PT. 1
A 20-SOMETHING COMPUTER GEEK
IN SHANGHAI SHARES HIS SHADOWY
WORLD OF HACKING FOR PROFIT.
By Johnson Lam
Internet News Service
April 12
Like many Chinese, when dealing with a Westerner he uses a Western name, Victor. In his case, however, it’s also meant to conceal his real identity. Though accented, his English is excellent. He is slender, well mannered, neat. And he is very proud of what he does.
In fact, the need to brag is constantly at odds with a hacker’s desire for obscurity. Though China recently passed tougher cyber security laws they are either lightly enforced or not enforced at all. But Victor fears that could change. “If you put a face to your story, I’ll be in trouble,” he tells me at a coffee shop not far from his small apartment. “If I stay anonymous, I’ll get rich.”
Victor had thought to be an engineer but before university graduation he became intrigued with the digital world of hackers. They are a close-knit group, swapping code, selling viruses, gathering information on computer exploits they can use. “All the big companies have many zero day vulnerabilities,” he says. “I’m going to find one and use it to make a killing.”
Victor tells me that three weeks ago he unleashed his own personally crafted Trojan in a phishing attack and now has a botnet of more than 5,000 computers. The virus harvests banking information and when he is ready he intends to loot the owners’ accounts for all he can take. He’s already set up a complex digital route for the money before it lands into an account he controls. “They’ll never know what happened,” he says with a laugh, as he lights a cigarette.
I ask if he’s proud of being a thief. “It’s not stealing. If you leave your wallet on that table and walk off, I’m a fool not to help myself? It’s the same thing. They let me in. Why shouldn’t I take it?”
Victor is consumed with hacking. He reads hacker forums and magazines, chats with other hackers, swapping information and ideas, and writes malware code. “That’s the hardest part. But also the most rewarding,” he tells me with a satisfied smile.
Unlike Victor, most hackers don’t bother creating their own viruses. They just take them from Web sites and adapt them to their own use. Some of the most successful viruses are rented. That’s right, rented.
Next: The Entrepreneurial World of Hacking
Jeff was awakened by pounding on his hotel door. Disoriented, he sat up in bed and slid his feet onto the carpet. He rubbed his eyes as the pounding continued.
He’d been exhausted by the time he reached his hotel room in Geneva. Just after the final meeting at Whitehall, he’d texted Daryl to confirm he was flying to Geneva. Then, just before takeoff and again after landing, he’d called, but both times it had gone to voice mail. He decided she was earning some well-deserved rest. Once in his room, he’d ordered a room service sandwich, taken a quick shower, then gone immediately to sleep.
Drowsy, stumbling like a drunk, he went to the door and checked the peephole. There she was, grinning at him. He threw open the door. “What are you doing here?” he said as Daryl walked into his arms. She felt good and smelled sweet.
“Hi, big guy,” she murmured. “Couldn’t let you have all the fun, now, could I?”
When he finally let her go, he carried her luggage into the room and set it down. “Really,” he said, “how did you know where to find me?”
Daryl gave him a smile. “I’m a supersecret cyber agent, remember? I have friends in the CIA.” She laughed. “I just contacted Frank, then he made a call. I was on a direct flight while you were still in the air. I was so beat I took a pill and slept the whole way.” She glanced around the room. “No bimbos. That’s good.”
She pulled open the curtains. “Just look!” she exclaimed. Through the window was a lovely view of a well-tended park and beyond it the azure Lake Geneva backed by the Alps.
“Let’s order breakfast,” she said, turning back to him. “I skipped the one on the flight so I could eat with you.”
“Sounds good. Go ahead while I take a quick shower.”
Inside the bathroom, satisfied he’d grasped the idiosyncrasies of the shower handle, he turned the water on, waited a moment, then stepped in, pulling the curtain tight. The hot water bathed his body as he turned slowly. It was wonderful. It felt like a week since he’d washed. It was good having her here. Very good. Just then the curtain drew back and through the steam a naked Daryl stepped in.
“Want me to scrub your back?” she asked. “We’ve got time before food arrives.”
As it was, they kept the waiter waiting as Jeff threw on a hotel robe and let him in while Daryl hid out in the bathroom. He signed, gave the young man a lavish tip consistent with his mood, closed the door, then rapped on the bathroom door. “Food’s here. You can come out now.”
Daryl had brushed her teeth and run a comb through her hair. Without makeup in the strong morning light she was gorgeous. They both dug into the American-style breakfast she’d ordered.
“This is a very nice surprise,” Jeff said between bites.
“I’m just sorry it’s taken so long. I really have been trying to get free. We can take a trip. With me here to help, you’ll get it done in half the time, probably sooner since I’m faster at this than you are.”
“Says who?”
“My mom.” Daryl took another bite. “I can’t help thinking the Iranians aren’t sophisticated enough for this. I’m not saying some Iranian, somewhere, might not have the knowledge and be able to do this though it seems like a team creation and it’s pretty clearly a government operation. I just don’t see the mullahs managing it, do you?” Daryl no longer sounded tired. She was back on the chase. “In fact, I can’t recall a single incident of cyber code coming out of Iran. How about you?”
Jeff thought a moment. “Nothing. And one of us would have heard if there existed an ongoing Iranian government department tasked for computer interdiction. From all reports their computers are under near-constant cyber-assault. I don’t see them having the energy for this. Just think about Stuxnet and all the harm it’s caused. They’re awfully busy countering that.”
Stuxnet was to date the most sophisticated Trojan ever invented. Commonly accepted to be a digital weapon devised and launched by an opposing nation, it had all but brought the Iranian nuclear weapons program to its knees. No one claimed authorship but nearly everyone in the cyber industry believed it was a product of Mossad and CIA working together.
In fact, Jeff and Daryl were all but convinced they’d worked on a Stuxnet-like project for three months the previous year. They’d been asked to submit a bid to Frontline Integrated Systems, or FIS, a specialized software company that worked almost exclusively as a vendor for various U.S. intelligence agencies. Their task was to locate zero day vulnerabilities in Android’s wireless services, WiFi and Bluetooth. Android was the mobile operating system used by a large number of cell phones. Once the vulnerabilities were identified they were to develop reliable exploits. The self-evident though unstated goal was to create a hole through which malware could jump from other systems to Android phones, and vice versa.
Jeff and Daryl were committed to the practice of responsible disclosure, which meant that whenever they encountered a zero day software vulnerability, they felt morally obligated to advise the vendors privately so the holes could be patched before they became generally known. But in the world of cyber warfare, such vulnerabilities were extremely valuable. A government agency would not disclose them because the vendors would then patch them, destroying their value. The couple had resolved this seeming conflict after they accepted the nature of cyber warfare and because their contacts at the CIA and NSA adopted a policy of disclosing such vulnerabilities one year after discovery or when they were exploited by someone else, whichever came first.
It was a compromise, one that in an ideal world they’d not have made, but theirs was not an ideal world. Cyber warfare was the new battleground between the great powers and it was a war the United States and the West had to win.
They’d received the contract for Project Tusk for a flat fee with a bonus for every zero day vulnerability they uncovered. They’d found one vulnerability in the Bluetooth stack, two more in the core WiFi driver as well as another two in the GPS driver.
“Maybe they outsourced it,” Jeff said as he buttered a second piece of toast. There were plenty of criminal groups around willing to do the work for a price. There were, however, inherent problems with that approach. If someone, even or especially a hired gun, learned enough about you to graft an attack on others, it was not difficult for them to turn their creation back on their employer or to resell what they’d created.
“Anything’s possible, I guess. But can you imagine a hacker writing code that clean?” Criminal cyber-gangs in the former Soviet Eastern bloc nations had turned such operations into a vast illegal financial industry, but their code was often sloppy and, until now, always identifiable for what it was. Was it possible one such group had raised the bar so dramatically?
“It doesn’t seem to get the Iranians very much,” Daryl continued. “So they read this Herlicher’s files, even altered a copy of the final report to say there will be no Iranian nuclear bomb. So what? Such a mistake can be explained and is sure to bring people like us on the scene as soon as they changed something important. From what I’ve read they just want to get their nuclear bomb detonated so they can get on with their quest to become a major world player.”
“And then arrange for it to be used.”
“That’s right.” She paused. “I’ve often wondered why there is so little concern about them getting the bomb. Look what they’ve done financing terrorist groups worldwide. Don’t people see what they do? And even if by some miracle they don’t turn it over to their terrorist minions to use, they’ll bully their way into complete Middle East dominance. After all, when it was still called Persia, the country had a long history of controlling the region. What’s it going to take to wake people up? A nuclear wasteland? The lights going out in their hometown for a month? Sometimes I just want to scream.” She stopped, drew a deep breath.
“It’s all right, Daryl.”
“No, it’s not!” she said. “That’s why I’m so upset. Look, getting back to this thing, I think it’s someone a lot more competent than Iran, someone with a more expansive agenda.”
Jeff considered that as they finished their meal and dressed. It made a lot of sense.
“So, you give this another two or three days to figure this thing out?” Daryl said, her mood having lightened. Jeff nodded. “I was thinking on the way over that Italy is very romantic, according to all the books and shows. Rome, Florence, Venice. We can see the city in a gondola while you serenade me.”
“You’ve got me mixed up with the gondola guy. He does the singing.” Jeff leaned over and kissed her. “You’re a woman of wonderful surprises. I love you.”
“Keep talking like that and I might go ring shopping.”
He pulled her tight. “I can think of worse things.”
As they left the hotel, the view of the shimmering lake and distant mountains crowned with white clouds was gorgeous. They had a clear view of the famous Jet d’eau, the enormous jet water fountain, visible from nearly anywhere in the city. Jeff had heard that Geneva was known as a dreary city but from what he’d seen it didn’t seem possible. So far he’d found it quite charming, though he suspected his companion had something to do with that.
The Palais des Nations, where UNOG was located, was a brief walk up the Rue de Lausanne to the Avenue de la Paix, the Avenue of Peace. Jeff noted that there were no visible guards on the grounds or immediately outside the building. The entrance was some distance from the street, reached via a long concrete walkway across a vast expanse of well-tended garden. Exterior security was either out of sight or depended in large part on the inherent stability and law-abiding nature of Swiss society.
Henri Wille, the security chief, was waiting to receive them at Pregny Gate, the usual entry point for first-time visitors. He was in his forties, trim and fit, and looked every inch Swiss with blond hair, fair skin, and deep blue eyes. Though wearing a suit, on his left breast was a distinctive badge. As the designated Interpol agent for UNOG he’d been alerted by the UK Foreign Office of the arrival of two key computer security experts and had been instructed to see to them personally. Frank Renkin had already alerted Graham Yates that Daryl would be joining Jeff. He’d been delighted because her reputation, if anything, exceeded Jeff’s.
After introductions, Henri asked Jeff and Daryl to go to a nearby room to have their photographs taken. A few minutes later they received a badge to wear whenever in the building.
“It will grant you near universal access,” Henri said. “If you require anything at all related to security come to me directly.” He wrote his cell number on the back of a business card and gave it to Jeff. He then escorted them to the UNOG IT office and bid them good-bye.
The head of IT was out of the country and they were briefed instead by his assistant who introduced himself as Nikos Stefanidou. Short, with a bushy mustache, he was not happy with their presence. “This is a matter I believe we are capable of handling but others have decided to the contrary,” he said with clipped words. “I will do what I can for you.” He’d not risen from behind his desk.
“You have the computer here?” Daryl asked. It was standard procedure to disconnect the machine from the network and move it to the IT center so no one could do anything to it.
“No, it has remained in Mr. Herlicher’s office. He was told not to use it.”
Jeff raised an eyebrow but said nothing.
“Have you had other reports of infection in the building?” Daryl asked.
“I couldn’t say.”
“Does that mean ‘yes, you have,’ or ‘no, you haven’t’?” Jeff said.
“I couldn’t say.”
“I suggest we get working, then,” Jeff said. There would be no help here. “Can we see the computer, please?”
Franz Herlicher, the German technocrat, was a weasel in Jeff’s opinion. He’d given them each a curt European handshake and a quick bob of the head before turning his computer over to them with obvious reluctance. “I must attend a meeting, which will last several hours so you will have the office to yourself. Of course, I will make it available as you need thereafter. I only wish to cooperate and clear up this terrible misunderstanding.”
“Before you leave, could you tell us what happened?” Jeff asked.
“I’m sure you already know. That’s why you are here.” Herlicher pulled himself upright.
“It will be useful to hear it from your perspective,” Daryl said.
Herlicher looked at one of them, then the other, unable to decide just who he should address. “All right then,” he said, deciding on Jeff. He was the man, after all, but with Americans you could never be certain. “I had finished a late draft of the report, which was essentially the final report, pending approval of the specific language by my superiors. I then forwarded it to Mr. Walthrop at Whitehall but what he—”
“He’s part of the approval process?” Daryl asked.
Herlicher swallowed. “Not… not exactly. He’s a colleague and this report was very important to him. I wanted… his input.”
“Go on,” Jeff said.
“There’s nothing else.” Herlicher looked exasperated. “I received this most horrid message from him — you can see it yourself in my computer — denouncing me as a liar! It was very unsettling, I can tell you. I’m not accustomed to such language. It was simply awful! I e-mailed to assure him there had been some kind of technical mistake but he didn’t reply. Then… then I checked the report and…” Herlicher stopped, apparently unable to continue. He took a white handkerchief from a pocket and dabbed his moist brow.
“Then what?” Daryl said, when it appeared he wasn’t going to continue.
“The report wasn’t the same! It had been… rewritten. It’s quite impossible.”
“Perhaps someone here made the change,” Jeff suggested.
Herlicher shook his head. “I already considered that possibility. I always lock my office when I leave and only two other people have keys.” Neither statement was true, of course, but Herlicher wasn’t going to present any version of events but the most proper.
“Still, the room must be cleaned and no security measures are ever airtight,” Jeff said.
“Yes, I see your point. We do have some… less trustworthy types working here in menial positions. But that wasn’t the problem.”
“How can you be certain?” Daryl said.
Herlicher had watched a number of American detective motion pictures. He understood the “good cop/bad cop” technique he’d seen in them. He feared that was what was going on. Did these two suspect him? Surely not. He’d been told their presence was confirmation of what he’d suggested, that something had penetrated UNOG’s cyber defenses, that he was not to blame for what had happened. But that might very well be a lie. They might just be here to trick him.
He pulled himself upright. “I am absolutely certain our building security was not compromised. You see, after I wrote the e-mail to Mr. Walthrop, I attached the document. I then opened it and proofread it a final time. I always do this with important files. The moment I finished reading it, I closed the file and sent it, all but simultaneously. I assure you, the file I sent was the one I wrote. The problem must be at his end. Now, I must go to my meeting. I wish you well in your investigation.”
“One last question,” Jeff said. The man stopped. “You affixed the digital signature before sending the e-mail?”
“Of course! Always on official documents. Now, good day.”
Daryl watched the man walk off in a huff. Still, what he’d said, if true, was most interesting. She moved to a spot where she could work as Jeff sat at the man’s computer. Another windowless office, she thought, as she linked to the computer and booted it up. Maybe she should get a job as a park ranger or something.
“He’s been deleting files,” Jeff said within a few minutes. “Looks like communications with other agencies. Probably sharing things he’s not supposed to.”
“Jerk.” She looked at her screen, which duplicated the one Jeff saw. “And he doesn’t know diddly about how to hide it. Okay, Superman, let’s see what you’ve got now that you’ve had a full night’s sleep and been laid.”
“Let’s start with the obvious,” Jeff said. He went to the folder containing the file and opened it. “See it?” He read it through. “This one is different from the one Whitehall received. It reaches a different conclusion. That’s odd.”
“How?” Daryl asked.
“Until now I’d been thinking the virus allowed the interloper to alter the file in Herlicher’s computer. I’d assumed he’d sent it along without double-checking, placing the signature on it at that time. But this report is not the one Whitehall received. That makes no sense.” Daryl drummed her fingers. “What?”
“Just thinking. What if the change was made after the report was attached? This e-mail program holds its own copy of the file. Hang on.” Daryl opened the attachment with the message to Walthrop in the “Sent” folder. “Whoa,” she said. “This one is the same as the one Whitehall received. It’s altered.”
“Let me check the signature.” When Jeff was finished, he said, “Yup, the signature is valid and the same.”
Neither of them said anything for a long minute.
Daryl spoke first. “Someone used this Trojan to access the OW file after it was attached to the e-mail and altered its language before the digital signature was generated.” She paused, then said, “This is unbelievable.”
“Let’s get a handle on this thing,” Jeff said finally, and the pair went to work. Because of what he’d learned in London the process went quickly and within ten minutes he had located the Trojan. “There’s the nasty little thing,” Daryl said, spotting it on her screen as well.
“What we’re postulating is that this guy sends the correct file, but it’s altered at the moment it’s sent as an e-mail attachment. And there is no evidence it has been tampered with. Jeff, they didn’t just change a word. They rewrote the report! How can you do that in the middle of an e-mail transmission?”
“I have no idea. Let’s find out.”
For the next few hours they worked at unraveling how the Trojan functioned. They discovered that it had not been hard-coded with commands when it was created and embedded. While hard-coded commands would work in most circumstances to accomplish what the author wanted, such an approach did not permit any degree of flexibility: the virus could only do what it had been preprogrammed for at creation. Instead, the Trojan was sophisticated enough to be programmed with a scripting language, which gave the author enormous flexibility. This was why it was so aggressive and clever in seeking out a domain from which to receive updates and orders.
Searching further they found snippets of script in memory that enabled the Trojan to copy Herlicher’s e-mail messages whenever they were sent. The copies were kept in memory for later uploading to the control servers. The Trojan then periodically probed the file servers he was connected to, grabbing any documents Herlicher could access.
For the rest of the day they pored over networking logs and reverse engineered the malware, stopping from time to time to brainstorm. At one point, Herlicher stuck his head in the office and asked how they were doing.
“What do we do about lunch?” Daryl said by way of answer.
“I… there’s a cafeteria on this floor, that way. It’s not bad. The cooks are French.”
After Herlicher left, Daryl went for food and brought it back. They ate as they discussed their latest findings. “One of the unique characteristics of this thing,” Daryl said, “is that it retains itself and any documents it copies in the computer’s memory.”
“We didn’t find anything in the memory scans,” Jeff said, biting into a croissant. Why were they always so much better in Europe than back home?
Operating systems like Windows use a technology known as virtual memory. It gives programs the illusion that the computer has more Random Access Memory, or RAM, than it actually does. It accomplishes this by writing infrequently accessed data and code out to a paging file on the disk. When the program accesses that data or code again, the operating system simply reads it back into RAM from the paging file.
“There’s no sign of the document, either the original or altered one, in RAM now,” Daryl said. “Maybe the operating system wrote a copy of it to the paging file when the virus had it in RAM around the time that it replaced the original in Herlicher’s e-mail, but before the Trojan deleted the altered copy from RAM.”
“Now that’s original, and devious. Someone’s put their thinking cap on.”
For the rest of that day, they used a special tool Daryl had previously written for their forensic tool kit. It copied the contents of the paging file, something that wasn’t possible when the operating system was running. They then copied the data to an external disk they connected to their laptops.
“Let’s see,” Daryl said. She launched the scan and a few minutes later discovered pieces of the altered document scattered around the file. This was extraordinary.
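The paging-file step Daryl has just worked through, as an added illustration that is not part of the novel and not the tool she wrote: a small Python carver that takes an image of a paging file, derives the phrases that appear only in the altered wording of a document, and reports the pages where those phrases surface, in either UTF-8 or UTF-16LE (the encoding Windows editors commonly hold text in while it sits in RAM). The report sentences, the page layout and the planted fragments are all constructed here for the demonstration.

```python
import random

PAGE_SIZE = 4096  # size of one page in the constructed image

# Constructed sample wording, not text from the book: one sentence as the
# original report put it and the wording that replaced it.
ORIGINAL_CLAIM = "Iran has enriched uranium sufficient for a nuclear weapon."
ALTERED_CLAIM = "There will be no Iranian nuclear bomb."

ENCODINGS = ("utf-8", "utf-16-le")


def build_sample_pagefile(seed: int = 7) -> bytes:
    """Construct a paging-file image: eight pages of pseudo-random filler with
    fragments of the altered sentence scattered in, the way stale RAM pages
    end up on disk. Two full copies plus one truncated copy are planted."""
    rng = random.Random(seed)
    pages = [bytearray(rng.getrandbits(8) for _ in range(PAGE_SIZE)) for _ in range(8)]

    def plant(page_index: int, offset: int, data: bytes) -> None:
        pages[page_index][offset:offset + len(data)] = data

    plant(1, 100, ALTERED_CLAIM.encode("utf-16-le"))        # full copy, UTF-16LE
    plant(4, 3000, ALTERED_CLAIM.encode("utf-8"))           # full copy, UTF-8
    plant(6, 512, ALTERED_CLAIM[:20].encode("utf-16-le"))   # partial fragment
    return b"".join(pages)


def marker_ngrams(original: str, altered: str, n: int = 3) -> list:
    """Word n-grams that occur in the altered text but not in the original.
    Finding one of these in the paging file cannot be explained by the
    legitimate document having been paged out, so they are the markers worth
    carving for."""
    orig_words = original.split()
    orig_grams = {" ".join(orig_words[i:i + n]) for i in range(len(orig_words) - n + 1)}
    alt_words = altered.split()
    alt_grams = [" ".join(alt_words[i:i + n]) for i in range(len(alt_words) - n + 1)]
    return [g for g in alt_grams if g not in orig_grams]


def carve_phrases(image: bytes, phrases, encodings=ENCODINGS) -> list:
    """Scan the whole image for every phrase in every encoding and return one
    hit per occurrence: byte offset, page number, encoding and the phrase."""
    hits = []
    for phrase in phrases:
        for enc in encodings:
            needle = phrase.encode(enc)
            start = 0
            while True:
                idx = image.find(needle, start)
                if idx < 0:
                    break
                hits.append({"offset": idx, "page": idx // PAGE_SIZE,
                             "encoding": enc, "text": phrase})
                start = idx + 1
    return sorted(hits, key=lambda h: h["offset"])


def pages_with_altered_text(image: bytes, original: str, altered: str) -> list:
    """Convenience wrapper: which pages of the image hold wording that exists
    only in the altered version of the document."""
    hits = carve_phrases(image, marker_ngrams(original, altered))
    return sorted({h["page"] for h in hits})


if __name__ == "__main__":
    image = build_sample_pagefile()
    for hit in carve_phrases(image, marker_ngrams(ORIGINAL_CLAIM, ALTERED_CLAIM)):
        print(f"page {hit['page']:2d} offset {hit['offset']:6d} {hit['encoding']:9s} {hit['text']!r}")
    print("pages holding altered-only wording:", pages_with_altered_text(image, ORIGINAL_CLAIM, ALTERED_CLAIM))
```

The image would normally come from a copy of the paging file taken while the machine is offline, exactly the point Daryl makes about the incident response policy: the fragments are only there because nobody powered the computer down and let the paging file be overwritten.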
“So that was it, smart lady. Who said you were just another pretty face?”
“Yeah, right, smart aleck,” she said, with a laugh. “We’re lucky they didn’t include turning off the computer in their pathetic incident response policy.”
While what they’d found was not direct evidence that the Trojan altered the document, it constituted substantial circumstantial evidence. They also checked copies of the document on the file server, and those backups were the original document. The copy on the e-mail server was the altered version, and they discovered more bits and pieces of the alterations in the paging file.
Daryl’s laptop flashed an alert. “Looks like the Company wants to talk.”
Colonel Jai Feng scanned the three oversized computer monitors at his workstation, taking in the data with a single practiced glance. He lifted another Hongtashan cigarette to his lips and took a long pull, the strong smoke delivering a jolt of nicotine almost immediately. He lifted his cup of coffee, long cold, and drained it.
Feng was dissatisfied with the progress of his team. He was under relentless pressure from Beijing to produce results and it seemed to him everything was going much too slowly. Working for him were the finest computer minds in China. Everyone was proficient in English while a number, though too few for his needs, were fluent. They were highly trained, highly skilled, and dedicated to the work, if not for the greater glory of China, then for the greater advancement of their careers.
The problem, Feng knew, was that he was overextended. When he’d first taken control of the PLA’s Cyber Warfare Center, the operation had been quite modest and expectations low. But as he expanded its scope, and demonstrated time and again the usefulness of what he was doing, both resources and demands had increased.
He’d realized the year before that he needed to reorganize but doing so would be a major interruption in his ongoing operations. This was no time for that. Matters were much too crucial to risk it. And, of course, there were laurels to be had, a promotion to receive if he left things as they were with him in sole charge. But once he split command the inevitable would happen. It was human nature. Those who’d been hired by him, advanced by him, those who owed everything to him would slit his bureaucratic throat in an instant to jump over him in promotion. Time enough for that after he was made general and relocated to Beijing.
Angry with developments in his two main projects, he pushed himself away from his desk and set off on one of his unpopular lightning tours. The warfare center occupied all five floors of the modern building though the heart of the operation was on the second, third, and fourth floors. The second was dedicated to military penetration. Feng’s unit there enjoyed extraordinary success in penetrating the U.S. Department of Defense databases. Its most recent triumph had been the penetration of the U.S. Pacific Fleet Command computer structure. The fourth floor was where the malware was crafted. Bright — very bright — software engineers were constantly thinking down the road, anticipating the next moves, both theirs and their adversaries’, and generating clean, effective product. Feng knew that his long-term success depended on just how well these young minds performed.
Today, Feng took the interior fire-escape stairs and emerged on the third floor. He was preoccupied with cyber operations and that meant this floor. Here, dedicated teams conducted widespread and often very specific information gathering from thousands of crucial targets. Whenever an area vital to China’s interest was involved, a team learned everything they could about those involved. In this increasingly digital world, that was often a great deal indeed. Most helpful had been the development of a Trojan they’d implanted in various telephone networks, giving them access to the in-house tracking of individual numbers. The networks did this routinely to assist them in determining service demand at specific locales.
There were, however, two immediate cyber operations about which Feng was most concerned. Four days earlier, he’d watched an elite team conduct a test of their system implanted in the WAyk5-7863 power grid located in the eastern portion of the state of Washington in America. The Trojan had been meticulously placed there the previous month. His team had run tests until it was certain the malware would work as intended.
This was the most sophisticated power grid Trojan China had ever developed, and was key to Feng’s long-term strategy. Its potential was so enormous that he had not breathed a word of its existence to anyone in authority. He had to be certain it did what he had been promised, then it had to be meticulously insinuated into the entire American grid system.
Feng’s work was much like defending against a terrorist attack, he often thought. No matter how many times a nation successfully thwarted such an attack, the terrorists only had to succeed once. In his case, no matter how long his Trojans loitered in the targeted computers, or how successful his mission, he only had to be uncovered once. Then the tree would fall, as his grandmother had often told him, and the monkeys would scatter.
Feng often cautioned his young geniuses to be careful. Youth was impetuous, he knew. Reining in such passions totally was all but certain to be impossible. Mistakes would happen, they had in fact already happened, but none had as yet come back to them. He was satisfied the carefully crafted and planted Trojan would not be detected. So much malware, from any number of sources, already permeated the grid’s software that his in effect hid amid the trash. Through this technique they’d managed to hide and cover their trail, to muddy the waters so to speak, leaving responsibility pointed elsewhere if it came to that.
Or so he hoped.
Feng had selected the hour after midnight in his targeted area for the actual test, a time when the consequences would be minimal. He wanted nothing dramatic to happen. For that reason the test had to be short.
It lasted just fourteen minutes. And the effect had been as comprehensive as Feng had been assured. Yakima and the surrounding region had been plunged into darkness. In crucial areas backup systems had sprung to life but in many cases these had been poorly maintained or untested and they’d failed at the crucial moment.
Feng had been delighted, especially when shown a satellite image of the area, a black blot surrounded by pinpoints of light. Then the reports of deaths and accidents had come in. A train stranded by the power failure had been rear-ended by another. The loss of life was scant as these were freight trains but entire cars had plunged into a canyon. An engineer and four others were killed. And there’d been a hospital death, a patient who died during surgery when the power was extinguished. There’d also been auto collisions, people trapped in elevators — all the things he’d expected. And so far there was not the slightest suspicion that the Chinese had done it.
There was, as well, his UNOG penetration. For more than a year another special unit had labored to crack cyber-security at the United Nations. Neither that nor planting the various malware they required for their project had been so difficult. Handling it all with delicacy, though, demanded great care and restraint. Planning when and where to act was even more daunting.
They were now reproducing the keystrokes of dozens of UN officials and recently, through the use of an amazing bit of word-processing code, had begun to access their files directly. With this information they’d slowly determined the central players.
Now, the latest variation allowed his people to alter files. Just as significantly the digital signature could be delayed and set in place after the revised document was ready. He’d reported this development of necessity, cautioning it should not be used carelessly. Given time his people could cause enormous damage to the United Nations but he was limited in how fast he could perform such work.
Then, with this program barely underway, he’d been ordered to modify the Iran nuclear report. Feng had balked, pointing out that the deception would be discovered at once and his long-term plans thwarted. Though his best people were busy modifying documents within the UN computers in Geneva and New York, they had not yet achieved the desired penetration because he lacked sufficiently skilled technicians able to express themselves in the proper English.
But his objections had been overruled. Someone wanted to delay any military action against Iran, to give them just a bit more time to detonate their first nuclear bomb. Iran had assured them it was imminent. Feng knew better and told his superiors the reality as he understood it. While the Iranians were close they were still hampered by their infected computers. In some cases they’d been reduced to handling issues by hand on a whiteboard. If they could inoculate their computer system from this Stuxnet pestilence the final steps could be accomplished in a few short weeks. As it was…
Feng still burned at the thought of the error left in the latest variation of the code they’d embedded in UNOG. When it had followed the path to London it had not worked. A flaw in the exploit code had caused OfficeWorks to crash. That should never have happened. On top of it, they had sent the malware with the altered document. They should have sent it in an unaltered file to avoid drawing attention. Now, the entire project was in jeopardy. Those bright kids had failed.
His protestations to his superiors about employing the software in such an obvious manner were pointless, he realized. The botched work by his team had led to early detection regardless. He’d have to find out who’d made the mistake; Feng’s instructions had been specific.
He just wished he’d had a little more time. Iran’s nuclear program had been brought to a virtual standstill by this Stuxnet worm. His people had devised, then he’d dispatched in stages, countering software to Iran as quickly as it could be developed, and while it had slowed the damage Stuxnet caused, it had not stopped it. The worm was constantly morphing, altering its approach, infecting operational parts of equipment by planting itself within the control computers.
The most frustrating part of the process had been the refusal of those above to allow his team to send these patches digitally. He’d assured them time and again that there were secure e-mail routes or ways to download from the Internet that would never trace back to China. But the role his operation played in assisting Iran was considered highly sensitive, one in which plausible deniability was the paramount consideration. Because of the need for speed he’d persuaded them to allow the first step in transmitting the patches to be electronic. After that a courier, a mule, was used. It added two to three days to the transfer time but Feng had been told the decision was final.
Feng was worried. New versions of Stuxnet were periodically released and he was certain that another had been designed to reinfect any untainted new computers. Only Feng’s software could prevent it. And this needless, senseless, delay of two or three days to give some aging party official a bit of ease only increased the likelihood that an exploit would be implanted. The last version of Stuxnet had been more destructive than the first. He didn’t want to think about what was to come. Despite the best efforts of the Iranians, the strains managed to find a way in.
Iran’s program had already been so damaged and delayed the country had taken the unprecedented step of replacing thirty thousand computers to get a fresh start. Feng had cautioned against this approach before his work on Stuxnet had reached a more developed stage but the Iranians were paranoid about the “air gap” again being penetrated as it had previously been by thumb drives. They refused to wait, convinced they’d solved the problem on their own with stricter precautions.
As a consequence, Feng had a team working feverishly on a comprehensive counter for the new Stuxnet strain they’d detected in the systems, one which went to the heart of the worm. This counter could be patched into the fresh network to keep it free from infection. He believed they nearly had it, that this new megapatch would suppress any Stuxnet variation, though nothing was certain. Feng had wanted this patch to be in place before the UNOG Trojan was employed, as the Trojan’s discovery would likely speed up deployment of the new Stuxnet variant before the counter was in place. But he’d been assured the UNOG software would not be detected and had gone ahead; then the software had been disclosed by orders from Beijing and the incompetence of his own people.
The one thing certain in all this, and the cause of Feng’s great unease, was that if things went wrong he would take the blame.
At the UNOG team work area, Feng approached the supervisor. “Tell me.”
The young man looked up, startled by his superior’s unexpected presence. “Someone is conducting a forensic examination on the principal target computer in Geneva.”
A rush of acid bathed Feng’s gut. “That is unfortunate.” But to be expected, he thought. “Has he found our plant?”
“I can’t say for certain. We’re not able to follow his movements.”
“Continue to monitor his work, but put a team on UNOG’s recent communications and learn his identity. That is priority. You are to provide me with an update every hour until you have that. Also, inform me of just how much he has learned if possible.”
“Yes, sir. The target sent an e-mail informing a colleague a cyber-expert was arriving from London, an American apparently. Someone disconnected the computer about the time he was scheduled to arrive so we’ve been blind. We’ll remain on this and work our other sources.”
Feng placed his hand on the young man’s shoulder. “I know you will do your best. Put a team on the identity. That is crucial at this point.”
Feng went to the elevators and returned to his office. If the forensic investigator was good enough he just might find their plant. They’d hidden it well, cleverly, but it existed in that computer. The cloaking they’d given it might be discovered despite the assurances of his people. He needed to stop this man at once. And for that he required a photograph and a name.
In his office, Feng sat at his desk and promptly lit another cigarette as he considered how to proceed. He glanced out the window and scanned the skyline of Urumqi, taking in the snowcapped Tianshan mountain range. Winter was passing yet the mountains were still clothed in a glowing white. Below was the usual urban haze, the pollution associated with progress throughout China.
Feng was from Kunming in Yunnan Province, in southern China on the border with Vietnam. Known as the City of Eternal Spring, he’d not fully appreciated its magnificent climate until he’d been posted to Urumqi. Despite its majestic view of the mountains and its historic location as one of the principal cities of the old Silk Road, this was an arid region, with long dry winters and long, even drier summers.
Feng longed to be home in beautiful Yunnan. Except for his wife and son, all his family were there. But leaving all that was the price he’d paid to ambition. He was not alone in that regard. Nearly every man of today’s China was required to give up a part of himself for advancement. There was no turning back now.
He glanced at his coffee mug and wondered just when it was he’d given up the wonderful teas of his youth. At some point he’d given in to the preferred drink of the West. Everyone in his generation on the rise had, he believed. Like American cars, coffee was a badge of personal progress.
Feng understood that the People’s Liberation Army Cyber Warfare Center had been located here to remove it from prying eyes. Urumqi was tucked away in a corner of largely desolate western China. No foreigner could come here without attracting attention. Few in China, and fewer still abroad, understood that this was the nerve center of China’s ongoing cyber war against the West.
In his view, one shared by the general staff and party leaders, what took place within these walls was on par with China’s nuclear capability. In many ways it was superior, in Feng’s opinion, as China could always deny it existed. Deniability was the cornerstone of everything his team did.
But not all of China’s cyber warfare effort was under his control and that was a constant source of irritation. He’d argued repeatedly against the current approach, pointing out the inherent inefficiencies, misguided attacks, poor training, and overlapping efforts. More than once his team had penetrated a U.S. government computer with absolute stealth only to discover poorly written code implanted by another Chinese operation, one certain to be detected. And once alerted the IT team would find his as well. Worse, those other operations were not nearly as careful about not leaving behind trails back to China.
In the beginning, before the PLA fully appreciated cyber warfare’s potential and launched its own program here, the military had encouraged private hackers to attack the West. This was much like the old system of privateers the French and British had used in time of war, when civilian ships were given letters of marque, authorizing them to prey on the enemy’s merchant ships. The idea was to unleash against the West the potential of thousands of young Chinese, then glean the benefits.
These were the so-called Patriotic Hackers. They were freebooters authorized to be destructive, to spread malware throughout the West. No one knew what they did, really, and most of it in Feng’s view was a waste of time.
Malware was now openly sold in Chinese Web sites. Companies marketing it even offered an end-user license agreement and twenty-four-hour support services. Cutting edge exploits were commonly available. In some cases, buyers could carefully customize malware to fit their particular needs. A new hacker could specify if he wanted his malware to log keystrokes, to capture remote screens, to steal financial data, to remotely control a system, or some other undertaking. Sophisticated malware was sold off the digital shelf for as little as twenty dollars.
Feng had complained about such blatant marketing and had been told there was nothing to be done about it, that such activities were part of the price China paid for a more open economic system. But he’d not accepted the explanation. Someone, somewhere within the government he was certain, was pursuing this course to make it easier for the Patriotic Hackers.
The PLA made its first tentative move toward control when it organized Information Warfare Militia units. These were made up of students, scientists, and IT professionals in research institutes, IT firms, university computer science departments, and even private computer clubs in China. Since inception they had developed a relatively mature cyber network in the West.
These groups were incredibly careless in Feng’s view. He’d spoken against them repeatedly. They maintained online journals where they openly discussed what they did. They had forums where they bragged about every penetration or new virus they’d created. True, they stole data, launched denial-of-service attacks, created digital havoc. All the while, they left evidence behind and too often failed to close the digital door behind them, letting the Americans trace their penetration right back to China itself.
Not much came of that, of course. The Americans would complain, the Chinese would express shock that some of their young people would do such a thing and would promise to look into it. That was all. But it served to keep the Americans on their toes and it obstructed Feng’s more productive efforts far too often.
Though Feng had demonstrated repeatedly that such an approach was now outdated, it continued. At the least, the Information Warfare Militia units should have been abolished when his center was created. Feng had argued, with some success, that they had to be controlled. In a time of emergency they might attack the wrong targets or overreact. He’d been listened to, but not enough. There’d been changes, but they were insufficient.
Feng lit another cigarette and took in the mountain view again. The problem with this location was the Muslims, who comprised a quarter of the local population. The largest group, the Uyghurs, had taken to rioting in recent years, demanding increased rights, even independence from China. Feng had no doubt agitators were stirring them up. More than two hundred had been killed in the most recent demonstrations, and many more had simply disappeared.
Feng couldn’t look at a mosque, hear the call to prayer, or see a Uyghur in ethnic dress without feeling a wave of disgust. These people were Chinese, why didn’t they act like it?
At forty-three years of age, with short cropped graying hair and a slight paunch, Feng felt he was at the height of his competence. He was a short man at five feet six inches, not unusual for his generation but still below the average. These young men, he noticed, were tall and lean, with that healthy glow Feng wished he possessed. This was especially the case with those who’d lived and studied in the United States.
We’re making a new China, he often thought when regarding them, one complete with a new man.
He sighed. Despite his efforts against Stuxnet, his penetration of the American power grid, and his success with the United Nations, the American DOD remained his primary target — that and its extensive network of vendors. The Americans were still surprisingly lax with computer security but there were areas his very best people had been unable to reach. His superiors were becoming more and more insistent that he gain access. The Americans might wake up someday, that was always possible, but he was certain that by then he’d have gutted the DOD.
As for the UNOG penetration, he knew he couldn’t keep the failures of his own people a secret. There were plants among his staff. Beijing would learn of his failure. His stomach burned and he reached for an antacid.
His computer chimed. He clicked on the message and there was a photograph and a name, followed by a detailed biography of the man. He copied the material, then alerted the necessary people and made his request.
Feng sat back and lit another cigarette as he waited for his stomach to calm. All that work and then this guy comes along. He shook his head. Life just wasn’t fair.
Ahmed skipped class that morning. He was too tired to feign interest.
The blond Czech girl had exceeded his expectations in bed. He consistently found these Western women to be amazing. The only part of the experience he’d found unpleasant was discovering the large tattoo across her lower back bearing the name of an old boyfriend. Why did these women insist on marking themselves? And with a throwaway relationship? It was disgusting.
He showered, bundled the sheets and clothing to be washed later, then made breakfast. He lit his first cigarette of the day as he opened his net-book. He browsed several minutes, then promptly at 2:00 p.m. went to a Web site he entered from memory. It was down. He waited, then refreshed his browser. Still down. He waited a full minute this time, then refreshed again. There it was.
A porn site. He liked the pictures. He wanted to meet the man behind them someday as their taste was identical. But he wasn’t here for that. In the lower left-hand corner of the page was a small link in the form of a pulsating green ball. He clicked and it took him to a forum, or rather what was laid out like a forum. He hit his print tab and a small, fast printer clicked to life. In less than a minute, the forum was in hard copy. As he started to back out of the page to take another look at the pictures the Web site went down. He’d just made it.
Ahmed turned off the printer and computer, removed the pages, and moved to the small table to analyze them. He glanced at the calendar. It was the fourth month in the cycle so he went to the fourth entry on the forum. It was the eighth day. He went down eight lines. The line read, “… real? I think the babes are hot, hot, hot. I think you should post at least six new photos every…”
The number then was “six.” He moved his finger to the bottom of the forum, then carefully counted up six lines. He read, “… set up with phones for talk. I’d love to spend five hot minutes with…”
Phone. He straightened. Now that was something. He’d never been ordered to phone before — never.
Ahmed dressed, taking time to look good, pocketed cash from his dresser, retrieved a fresh pack of cigarettes, slung his backpack over his shoulder, then went for a walk. He stopped once for a coffee and studied the foot traffic from the way he’d come and spotted nothing. He went to a marketplace, wandered aimlessly, twice checking surreptitiously by pausing at windows and using their reflection. He emerged on the far side, then sat for more coffee and a cigarette. Again, he saw no familiar faces.
He’d expected none. He’d done nothing to attract interest since coming to Prague. He’d been very careful. Next, he took several short back streets, stopping again at a coffee shop he’d never been to for a sweet roll. He sat and ate, scanned back the way he’d come. He lit a cigarette and watched. Nothing.
Such caution had been ingrained in him before coming to Prague and Hamid reminded him during every visit to keep his guard up. The Crusader was everywhere and no one could be trusted. Not that there was anything special about him to attract attention. He went to his classes and was an attentive student. To the extent possible, he made his trips over long weekends in what would be the normal pattern for a student. He still visited some of the trendy nightclubs, especially when Saliha was out of town. It was best to appear secular.
He finished his cigarette and set off casually, shifting his backpack to his other shoulder as he once again scanned a narrow alley. Still nothing. He walked briskly to a small mall and went directly to a kiosk where he bought a phone and supply of minutes, paying in cash. Afterward, he made his way to Letna Park with its famous beer garden. Here he could sit alone on the grass well away from any pathway and observe the expanse all about him. A couple was taking in the spring sunshine but they were folding up their blanket when he sat down. Once they were gone he punched in the number.
Whoever he’d reached answered at once. It was a one-way conversation. Ahmed listened closely, locking the information into his memory, thinking he could detect Hamid’s voice at the other end but wasn’t certain. The man was a chameleon. The caller disconnected without pleasantries.
Ahmed rose and walked out of the park. Along the way he removed the SIM card, then took the extra precaution of dismantling the phone itself. He discarded the bits and pieces at various trash receptacles. As he crossed the bridge, he dropped the SIM card into the slow-moving waters of the Vltava River.
He made his way across town, stopping twice, once for a soft drink, but primarily to check his trail. Nothing.
He found the apartment building in an alleyway, one used by pedestrians. He’d told Karim to rent a place where he could blend in and the man had done a good job. There wasn’t a native Czech in sight. On the third floor, Ahmed used the key he’d been given, then entered the tiny room. Karim was out. No surprise. He didn’t get off work until five. Ahmed sat to wait patiently for the man to return, slowly working his way through his pack of cigarettes.
“I want to advise you,” Frank Renkin said, “that we’ve got a very effective word-processing-based Trojan and as it potentially involves your area you should know about it.” As assistant director of Counter Cyber Research, he was responsible for informing the appropriate chiefs whenever anything came across his desk that might be of concern to their area.
Agnes Edinfield was chief of the Eastern Mediterranean Bureau in the Company. She was in her forties, fit if perhaps a bit overweight with short dark hair and dressed in a well-tailored dark pinstriped business suit. Though she had strong features she was a handsome woman.
“Which country?” she asked.
“Likely Iran — one way or another.” Frank gave her a brief summary of what he knew, the gist of which was that it appeared that the UNOG report they’d been anticipating on the Iranian nuclear weapons program had been doctored by means of the Trojan.
Everyone involved knew the significance of the report. After stalling for more than a decade the United Nations had finally indicated it was prepared to move. Frank understood that a source had, for its own reasons, elected to leak critical documents directly to the United Nations Office for Disarmament Affairs in Geneva. The information was detailed, and the groundwork for concerted military action against the mullahs had already been anticipated.
“What changes?” she asked.
“We understand this was to be the final draft. The report is scheduled for release tomorrow. Now we learn that it has been altered to say there is no prospect of an imminent nuclear test.”
Edinfield grimaced. “Altered, you say?” Frank nodded slowly. “I take this as confirmation,” she continued, “if any was needed, that UNOG’s source had it right.”
Iran already possessed a midrange missile delivery system and was not that far from a long-range system that would extend their nuclear threat into Western Europe. The mere existence of such a system would profoundly alter the European Union’s position toward Iran and Israel. The immediacy of an actual nuclear test was the most vital problem either of them faced. Frank was not free to disclose it to her but the first test was reportedly in just two weeks. The Iranians had made remarkable progress since bringing their new computers online and establishing an air gap to protect them from Stuxnet. If nothing was done, all indications were that they’d be a nuclear power before the end of the month.
“We’ve not seen anything previously resembling this Trojan,” Frank continued. “It’s not like the infected PDF files we encountered before. In its own way, it’s as sophisticated as Stuxnet. When you open an infected OW file, the Trojan enters the computer. There it uses an entirely new method to conceal itself. Very clever.” He omitted the details. Edinfield would have no interest in them. “We’ve known this technique was coming for some time; now it’s here. It’s going to make our work much more difficult.”
“I’m sorry to hear that. Where’s it originate from?”
“We can’t confirm a source at this point. But its creator seems to be using it to try to influence events as the time comes for the release of this important report on the Iranian nuclear program. This is very clean stuff, Agnes, unlike almost everything we’ve seen and my people tell me that in their opinion it’s beyond the ability of the Iranian government. All of their computer expertise is dedicated to the nuclear weapons program and to combating the Stuxnet variants that continue to significantly hinder them.”
“How did this come to your attention?”
Frank brightened. “As I said, according to the author of the final draft of the UNOG report, his document was altered.”
Edinfield thought for a moment. “Can you do that?”
“Not without leaving tracks. In this case there are none.”
“I suppose he could be lying.”
“We’ll know soon enough. I’ve printed you copies of the original report, as the author says he sent it, and the one with the changes he denies making.” He laid them on her desk and Edinfield pulled them to her. “I had the changes analyzed. They systematically water down the report and finally give it a different conclusion altogether. They aren’t alterations you can dash off in a minute. It took talent and real effort, as well as a very sophisticated Trojan, though we’ve still not cracked the core of what it does. We’re just working around the fringes. I don’t know how events will play out at UNOG. So far this is tightly held information but that won’t last long.”
“Good job. Let me know what you learn when you can. By the way, where did you get the info?” Edinfield asked. The source of such information often told her a great deal and was always something useful to know.
“Daryl Haugen alerted us. We got lucky. The virus had a bug that caused OfficeWorks to crash, which alerted the IT staff and prompted their investigation. If that hadn’t happened, the altered document would be changing the course of events.”
Edinfield paused as she searched her memory. “Dr. Haugen? The one who worked for the National Security Agency?”
“That’s her.”
Edinfield thought a moment. She’d been involved in blunting, nearly stopping, the Al Qaeda cyber-attack on the West not that long ago. A great job all around, one the Company should have done, not an outsider. Then more of the story returned. “Didn’t she leave the NSA and go to work with Jeff Aiken?”
“They have a company, yes. The British Foreign Office brought Jeff in to troubleshoot this and they turned up the Trojan. Daryl has been working with him remotely and gave me a heads-up, passing along the code once it was identified.”
“I’ll have my people check into this from our side. Maybe there’s been some chatter that will be useful to you. Thanks for coming.”
Frank rose and went back to his office, feeling utterly exhausted. His team was getting to the heart of the Trojan, he was certain, but he still had a long night ahead of him. At his office, he instructed his assistant there were to be no interruptions for an hour. Inside, he stretched out on his couch, wondering briefly when he’d next go home.